Beanstalk Part 1

Beanstalk

DeFiHardhatOracleProxyUpdates

100,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Reentrancy Vulnerability in Weather.sol

heim

Summary

High-risk reentrancy vulnerability in the sop function of the Weather contract. The vulnerability arises from external calls made within the function before modifying state variables. This sequence of operations could potentially allow for reentrancy attacks.

Vulnerability Details

The vulnerability occurs in the sop function, where external calls are made to various functions such as C.bean().mint, C.bean().approve, and IWell(sopWell).swapFrom. These calls are followed by modifications to state variables in the rewardSop function. This pattern could enable reentrancy attacks if the called contracts re-enter the Weather contract before state modifications are completed.

Code snippet: (contracts/beanstalk/sun/SeasonFacet/Weather.sol#181-213)

function sop() private {

// calculate the beans from a sop.

// sop beans uses the min of the current and instantaneous reserves of the sop well,

// rather than the twaReserves in order to get bean back to peg.

address sopWell = s.sopWell;

(uint256 newBeans, IERC20 sopToken) = calculateSop(sopWell);

if (newBeans == 0) return;

uint256 sopBeans = uint256(newBeans);

uint256 newHarvestable;

// Pay off remaining Pods if any exist.

if (s.f.harvestable < s.r.pods) {

newHarvestable = s.r.pods - s.f.harvestable;

s.f.harvestable = s.f.harvestable.add(newHarvestable);

C.bean().mint(address(this), newHarvestable.add(sopBeans));

} else {

C.bean().mint(address(this), sopBeans);

}

// Approve and Swap Beans for the non-bean token of the SOP well.

C.bean().approve(sopWell, sopBeans);

uint256 amountOut = IWell(sopWell).swapFrom(

C.bean(),

sopToken,

sopBeans,

address(this),

type(uint256).max

);

rewardSop(amountOut);

emit SeasonOfPlenty(s.season.current, sopWell, address(sopToken), amountOut, newHarvestable);

}

Impact

The impact of this vulnerability is assessed as high. Successful exploitation could enable reentrancy attacks, allowing an attacker to manipulate the contract's state and exploit unintended behaviors.

Tools Used

The vulnerability was detected using the Slither tool, specifically its reentrancy vulnerability detection feature.

Recommendations

Apply Check-Effects-Interactions Pattern: Ensure that state modifications are performed before any external calls to prevent reentrancy attacks. Review the sequence of operations in the sop function to ensure that state modifications occur before any external calls.

Use ReentrancyGuard: Consider implementing the ReentrancyGuard pattern in the sop function and other relevant functions to prevent reentrancy attacks. This pattern can help mitigate the risk of reentrancy vulnerabilities by ensuring that functions are not re-entered recursively.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

100,000 USDC

nSLOC

5,776

17 USDC / LOC

High Medium

95,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.